In behavioral monitoring and analysis systems, the context within which a software application executes tasks is not used to determine whether an activity of that application is malicious. For example, an activity that inherently requires user interaction (e.g., use of a camera, sending an SMS message, etc.) is typically performed in a “foreground” execution state, so the performance of such an activity while the software application is in a “background” execution state may indicate that the activity is malicious. Yet this is not generally taken into consideration when evaluating software applications for malware.
Conventional malware detection systems do not account for the context within which a software application executes tasks. They may rely instead on just the operational state of the software application to determine whether the application is permitted to execute certain tasks. For example, applications executing in the foreground may be presumed to be benign, while the same behavior may be considered malicious if executed in the background. This classification is insufficient to determine a user's intent because software applications may begin execution in the foreground with full knowledge and permission of the user, but then move to the background as the user waits for the task to finish execution. An executing task does not become malicious simply because the operating system moves the software application to the background.
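The gap described above, as an added illustration that is not part of the original text: a state-only rule flags a background SMS send even when the task was started in the foreground, while a rule that also records the state at task start does not. The event format, application names and task ids are constructed assumptions.

```python
from dataclasses import dataclass

# Activities the text names as inherently requiring user interaction.
USER_INTERACTIVE = {"camera", "send_sms"}

@dataclass
class Event:
    t: int          # constructed timestamp
    app: str
    kind: str       # "state", "task_start" or "activity"
    value: str      # state name, or activity name
    task: str = ""  # hypothetical id linking an activity to its task start

def state_only(events):
    """Conventional rule: flag user-interactive activity seen in background."""
    state, flagged = {}, []
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "state":
            state[e.app] = e.value
        elif e.kind == "activity" and e.value in USER_INTERACTIVE:
            if state.get(e.app, "background") == "background":
                flagged.append((e.app, e.task))
    return flagged

def context_aware(events):
    """Also track the state each task started in; a background activity
    that continues a foreground-started task is not flagged."""
    state, started_in, flagged = {}, {}, []
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "state":
            state[e.app] = e.value
        elif e.kind == "task_start":
            started_in[(e.app, e.task)] = state.get(e.app, "background")
        elif e.kind == "activity" and e.value in USER_INTERACTIVE:
            now = state.get(e.app, "background")
            origin = started_in.get((e.app, e.task), now)
            if now == "background" and origin != "foreground":
                flagged.append((e.app, e.task))
    return flagged

# Constructed trace: "messenger" starts a send in the foreground and is then
# moved to the background; "flashlight" starts and sends while in background.
SAMPLE = [
    Event(0, "messenger", "state", "foreground"),
    Event(1, "messenger", "task_start", "send_sms", "t1"),
    Event(2, "messenger", "state", "background"),
    Event(3, "messenger", "activity", "send_sms", "t1"),
    Event(4, "flashlight", "state", "background"),
    Event(5, "flashlight", "task_start", "send_sms", "t2"),
    Event(6, "flashlight", "activity", "send_sms", "t2"),
]
```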